Third-party Login - facebook

I have a website that accepts Facebook login. When the user clicks the FB login button, it logs the user into his/her FB, retrieves the user info, and uses that info to log the user in at my own backend. After successful login, the page jumps to the main site. For logout, it's the same. I first log the user out of his Facebook, and then out of my own backend (flush the session).
The problem is that the FB login at my site gets mixed with Facebook sessions at other places. If a logged-in Facebook user logs out (FB.logout()), his/her Facebook website will also be logged out. And if the user has logged in to his FB somewhere else, when he comes to my site, the FB login button shows an already-logged-in state. But getLoginStatus() actually shows the status as 'unknown' instead of 'connected', so the page doesn't jump. He has to log out, and then log in again, which is pretty weird.
I wonder if there's a decent way to handle this, separating FB sessions at different places. This also applies to other third-party authentication issues.

Related

Facebook login in ionic

I wonder what kind of workflow other people have had when logging in with Facebook.
I have an app that requires signup. People can also sign up by logging in via Facebook. That part has been integrated.
However, when a user signs in with Facebook (which means: the Facebook page opens and requires login), my workflow takes the user to a screen where he needs to create a username (as having a username is required).
After the user has picked a username, I create this new user, save the Facebook token and generate a password.
Now, automatically, the user will be logged in to my app.
Next time the user opens the app, in the background, I will log the user in using the email (which originally was fetched from Facebook) and the password, which are stored in local storage.
But what if the user logs out, or deletes the app and reinstalls it? I have seen that this happens sometimes. In that case, the workflow (if the user clicks on Facebook login in my app) will take the user to Facebook again. And after he logs in to Facebook, he will come back to my screen where he can choose a username. This is bad, because I already created an account for the user with the email bound to that Facebook account.
Of course, I can understand that this user that logs in via Facebook already has an account. But what can I do? Can I just log him in in the background? Are there any security implications (yeah, my app is not that sensitive, but I would prefer to use best practice)?
Yes, if the user already logged in once, the expected behavior is to be logged in again on future visits to the app. If the user passed the Facebook login, you can safely assume that it is the same user IMHO.

facebook logout API

I'm using the Manual Login Flow from Facebook to log users in to my site. This means redirecting them to accept the app, and then getting their info. (My app is also physical, ==> one browser for many people.)
I got it working as I wanted. However, as they are only redirected to log in, they are kept logged in at browser level, meaning that if another user comes after them and tries to log in, they will only be shown the other person's profile, or be redirected as if they logged in.
Thus, I need a logout method at browser level, but I can't find any links or API to log a user out from the browser.
Does anyone know how?
Thanks!

facebook php sdk logs out of website but does not logout of facebook

I have read many questions in a similar area to this, and after reading about 20+, my problem is not discussed.
I have a web app using Facebook login via the Facebook SDK.
This is working fine on the website side of things.
However, when using getLogoutUrl(), the users are not logged out of Facebook.
I have tried destroying the Facebook session (via the destroySession method) both before and after (in the redirected page) accessing the getLogoutUrl link, and I am still logged into Facebook.
The user is no longer logged into my site, but Facebook remains unchanged.
I would expect that when a user accesses the link provided by getLogoutUrl, they would be logged out of Facebook. However, all that happens is the user is redirected back to the site and the user is still logged into Facebook.
So my website's side of things works fine. But providing the Facebook logout link implies that they are logged out of Facebook and can walk away.
Whereas in reality the user's account is still logged in on Facebook.
Why is this happening?
I cannot control Facebook, so I do not know what else I can do other than forwarding the user to the logout link provided by getLogoutUrl.
I am using Facebook PHP SDK (v.3.2.2)

Facebook Enhanced Auth Dialog not Appearing when User is Not Logged In

If a user follows a link to my Facebook application (apps.facebook.com/instantinternetstar) and they are not currently logged into Facebook they are allowed to enter the Application instead of being prompted to 1st log into Facebook and 2nd grant permissions via Auth Dialog.
If a User is logged into Facebook, the new Enhanced Auth Dialog works perfectly and always.
Is there a variable I have missed?
Your settings may be fine. What you can do on the default page of http://instantinternetstar.com is to query the HTTP POST parameter called signed_request and decode it, and it will tell you if the user is authenticated or not. Then you can display something to them so they know what you're about, before they take their time to log in to Facebook and then accept your app.
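The decoding step that answer describes, as an added example that is not part of the original answer or of Facebook's SDK: `signed_request` is `base64url(signature).base64url(JSON payload)`, signed with HMAC-SHA256 under the app secret, and the payload should only be trusted after the signature check passes. The secret, the sample payloads and the function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed value for this example only; a real app secret comes from the app settings.
const APP_SECRET = 'constructed-app-secret';

// Both halves of signed_request are base64url-encoded.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Returns the verified payload, or null when the value is malformed,
// fails the HMAC check, or names an unexpected algorithm.
function parseSignedRequest(signedRequest, appSecret) {
  if (typeof signedRequest !== 'string') return null;
  const parts = signedRequest.split('.');
  if (parts.length !== 2) return null;
  const [encodedSig, encodedPayload] = parts;

  // The signature covers the encoded payload string, not the decoded JSON.
  const expected = crypto.createHmac('sha256', appSecret).update(encodedPayload).digest();
  const given = b64urlDecode(encodedSig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let payload;
  try {
    payload = JSON.parse(b64urlDecode(encodedPayload).toString('utf8'));
  } catch {
    return null;
  }
  if (!payload || String(payload.algorithm).toUpperCase() !== 'HMAC-SHA256') return null;
  return payload;
}

// user_id is only present once the user has authorized the app.
function isAuthorized(payload) {
  return Boolean(payload && payload.user_id);
}

// Builds a constructed signed_request so the example runs offline.
function makeSample(payload, secret) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const sig = crypto.createHmac('sha256', secret).update(body).digest('base64url');
  return `${sig}.${body}`;
}

const visitor = makeSample({ algorithm: 'HMAC-SHA256', issued_at: 1700000000 }, APP_SECRET);
const member = makeSample({ algorithm: 'HMAC-SHA256', issued_at: 1700000000, user_id: '1000' }, APP_SECRET);
console.log(isAuthorized(parseSignedRequest(visitor, APP_SECRET)), isAuthorized(parseSignedRequest(member, APP_SECRET)));
```

A payload that verifies but has no `user_id` is the "not yet authorized" visitor the answer suggests showing an intro page to.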

Preventing facebook user to automatically login my site

Well, I have used the Facebook API a couple of times. But the other day I came across a site which was really new to me. Here's the scenario:
If a user is logged in at Facebook and comes to my site, he will automatically be logged in without asking him, and also if the user logs out of my site he gets logged out of Facebook. But the site I saw yesterday had handled it perfectly: the user does not log in to their site automatically, and even if the user logs out from their site, he does not get logged out of Facebook.
So any help? What is this technique called? Or any relevant help?
Best Regards
Most sites handle login/authentication by using the login status of the user at Facebook's end.
To do what you want, simply add an additional layer of authentication / login status checking at your own site.
The site-level login status is to be retained only for the current session. In other words, once the user goes away from the site, the site-level login status is gone. With this, when the user returns, you know that he needs to log in again.
When the user logs out from your site, you only log him out of your site and do nothing about the Facebook login.
Using the Facebook SDK, it will likely tell you the user is logged out when not logged into Facebook, which in theory is the correct behaviour of the whole system, as Facebook wants users to always be connected to Facebook. I quote Facebook:
As long as the user is signed into Facebook, they are automatically signed into your site as well.
So if they aren't connected to Facebook, you aren't connected to other sites. In a way it's a deterrent and increases Facebook's market.
But anyhow, it's likely the site you are describing is implementing its own authentication system rather than using Facebook's own SDK, or if they are using the SDK, they are using it in moderation and understand about cookies/the above.
The flow to allow the user to be logged into Facebook but out of your site is as so:
When a user logs out of their site, it will unset session data for the site's own application, and also unset Facebook cookies, etc. That way the user is still logged into Facebook but out of your site.
When they try to log in again, Facebook will detect no cookies are available and hence will re-authenticate and pass you onto the url as passed during the authentication process. Your site will then login the user to the site's own application, setting any session variables, etc.
You need to check how you are handling the FB logins and sessions at your end.
My guess is you check the login status at your site, and there are some access_tokens, tied to your app ID, in the cookies of your browser which are helping you to log in,
and when logging out from your site you are explicitly logging the user out of FB as well
(that's what you are describing at least).
You seem to be explicitly calling logout or clearing the cookies for the FB app ID.
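The site-level session layer these answers describe, combined with the returning-user case from the Ionic question above, as an added example that is not code from any of the posts. It assumes the Facebook user ID passed in has already been verified server-side; the class name, method names and the 30-minute idle limit are hypothetical.

```javascript
const crypto = require('node:crypto');

const IDLE_LIMIT_MS = 30 * 60 * 1000; // assumed idle timeout for the site session

class SiteAuth {
  constructor(now = () => Date.now()) {
    this.now = now;                  // injectable clock so expiry can be exercised
    this.accountsByFbId = new Map(); // Facebook user ID -> local account
    this.sessions = new Map();       // site session token -> { account, lastSeen }
  }

  // fbUserId must come from a server-side verified Facebook response,
  // never from a value the client merely claims.
  // First login without a username asks for one; a returning user skips that step.
  login(fbUserId, username) {
    let account = this.accountsByFbId.get(fbUserId);
    if (!account) {
      if (!username) return { needsUsername: true };
      account = { fbUserId, username };
      this.accountsByFbId.set(fbUserId, account);
    }
    const token = crypto.randomBytes(32).toString('hex');
    this.sessions.set(token, { account, lastSeen: this.now() });
    return { token, account };
  }

  // Resolve a site session token; unknown or idle-expired tokens yield null.
  currentUser(token) {
    const session = this.sessions.get(token);
    if (!session) return null;
    if (this.now() - session.lastSeen > IDLE_LIMIT_MS) {
      this.sessions.delete(token);
      return null;
    }
    session.lastSeen = this.now();
    return session.account;
  }

  // Site logout drops only the local session. Nothing here calls FB.logout(),
  // so the user's facebook.com session is left as it was.
  logout(token) {
    return this.sessions.delete(token);
  }
}
```

Keying the account on the Facebook user ID rather than on a locally stored password means a reinstall or logout leads back to the existing account instead of the username screen.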